How to avoid a costly data breach

Data security is an essential cost of doing business for online retailers, says Lisa Sotto, a partner at law firm Hunton & Williams who specializes in data security matters. However, too many retailers don’t have adequate controls in place, she says.

Sotto’s firm has represented roughly 800 companies in dealing with security breaches—including four this week—she says, and has advised many others on how to set up data security programs. “Every time a new client comes and says ‘We really don’t have anything in place,’ it’s shocking,” she says. Yet she estimates that 80% of those asking to set up a program only do so after a breach has occurred.

That’s an expensive lesson to learn, she says. Last year, the average cost of a data breach was $5.5 million, according to a benchmark report by privacy management research organization the Ponemon Institute, which analyzed data breaches at 49 U.S. companies in 14 industries, including retail. That takes into account such expenses as hiring forensics experts, outsourcing hotline support, providing free credit monitoring and future discounts for affected customers, in-house investigations and the value of lost sales from customers not making repeat purchases or the added difficulty in acquiring new customers, Ponemon says. Hackers acquired data on between 4,500 and 98,000 records in the breaches studied; Ponemon considers data breaches that affect more than 100,000 records to be atypically large in the United States.

To avoid being hacked and compromising company and consumer data, retailers need to set up a security program that includes technology, policy, training and procedures, then work to stay abreast of global security trends, she says.

“The difficulty in the data security world is that there’s not a playbook that any regulatory agency has put out with respect to security,” Sotto says. “There are many, many different standards and the question is which to follow.”

She says the International Security Organization’s standards have become a common choice among retailers. The ISO is a non-governmental network of the national standards institutes of 156 countries that develop security standards in areas including cybersecurity and personal identification.

However, following these guidelines only helps so much. “The very minute you put pen to paper and put a security standard in place, it becomes superseded by technology and criminals that find a way around it,” Sotto says. “By its very nature, security has to respond to current threats. So, I.T. pros need to keep up.” She recommends that retailers hire an information security expert or, if they can’t afford one, hire a consultant whose job is to follow what’s happening in the world of technology, security, policy and cybercrime.

“Do not expect that your I.T. group will take care of it, it needs to be a specific focal point,” she says, adding that many retailers tell her they believe the information technology group is managing security. That’s a mistake, she says. “I.T. groups function to facilitate access to systems, not protect against it.”

In fact, the Ponemon Institute report says that, in the event of a data breach, companies who employed an information security officer with overall responsibility for their data had up to an $80 reduction in related costs per each compromised record, and companies who hired a consultant to do the job had up to a $41 cost reduction per record.

“When considering the average number of records lost or stolen, all of these factors can provide significant and positive financial benefits,” the Institute says.

Retailers also must keep an eye on the information their vendors can access. Sotto says vendors sometimes have access to personal data and, in some cases, are the ones criminals attack. When that happens, it is the retailer’s reputation on the line because it, not the vendor, must notify all compromised customers. And unless a retailer has a prior agreement with the vendor, it bears all the associated legal, communications, public relations and other costs.

“Everybody maintains data, and that data is vulnerable,” says Sotto. “It needs to be protected like any other critical company asset. The fact that there are constantly hackers going after that data should certainly light a fire under anyone who does business online to set up best practices.”